Hi Max,

thanks for the examples.
During IETF98, I was the one to speak up in favour of #pkcs7;
One reason only: It is transported by EST that is used by BRSKI.
All the code is already present.
Doing JWS/COSE or JWT/CWT needs additional code.
I am sensitive to the payload size argument though.

But, suppose the JWS or JWT is adopted to reduce the payload,
where will the optimizations stop?
Will you envisage to optimize the EST payloads as well?

Cheerio,

Peter



Max Pritikin (pritikin) wrote on 2017-04-18 20:08:
Folks, in Chicago we discussed the signing method for vouchers.

Because the voucher is JSON, and there is expectation of a CBOR
encoding for future work, there is an open discussion point about
using the JWS/COSE signing methods; if not JWT/CWT. There was brief
discussion of this at IETF98 and one person indicated they liked
PKCS7, others indicated JWT and others did not speak up. Full meeting
minutes might provide more information but my recollection was that
we’d move the discussion to the list. This thread is for that
discussion.

The current text of draft-ietf-anima-voucher-02 is:

The voucher is signed a PKCS#7 SignedData structure, as specified by Section 9.1 of [RFC2315], encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.


For concrete discussion, the proposed change is:

The voucher is a JWT [RFC7519] signed token.


I’ve updated my tooling that was used during the IETF98 hackathon to
support a JWT token format; I did this as homework to be informed for
the discussion.

MY POSITION: is that I appreciate the simplicity of the JWS signing
and feel it is a good match for us. It was easy enough to implement,
was a refreshing change from the ASN1 complexity of PKCS7, and seems
to provide a good path toward CBOR/COSE in a future document without
maintaining PKCS7/CMS technical debt or revisiting/rewriting too much.

QUESTION FOR THE WORKING GROUP: What is your position? Why?

What follows is a dump of the raw JWS before signing (the equivalent
PKCS7/CMS structure would be the SignedData asn1 structures which is
hard to capture). After that is an encoded and signed voucher. Further
below is an example of a PKCS7 signed voucher.

Please note these characteristics:

a) From JWT RFC7519 "JWTs are always represented using the JWS Compact
Serialization”. There are some JWT headers that overlap with voucher
fields. I’m using JWT here; but the distinction between JWS/JWT is not
fundamental to our discussion. The important point is JWS vs PKCS7.

b) I’ve added the x5c header to the JWS. This is used to carry the
certificate chain of the signer. Our current voucher format indicates
PKCS7 which supports an equivalent field called “CertificateSet
structure”. It's in the BRSKI document that we specify "The entire
certificate chain, up to and including the Domain CA, MUST be included
in the CertificateSet structure”. With the transition to JWT we’d be
specifying that the x5c header be fully populated up to and including
the Domain CA etc.

c) From these examples we can’t directly compare size encodings. I
don’t think this is a significant aspect of the conversation but can
create comparable examples if folks feel that is necessary.

The dumps:

A debug dump of the JWT form before encoding:
{
   "typ": "JWT",
   "alg": "ES256",
   "x5c":
["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",
"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"]
}
.
{
   "ietf-voucher:voucher": {
       "assertion": "logging",
       "domain-cert-trusted-ca": "-----BEGIN
CERTIFICATE-----\nMIIBUjCB+qADAgECAgkAwP4qKsGyQlYwCgYIKoZIzj0EAwIwFzEVMBMGA1UEAwwM\nZXN0RXhhbXBsZUNBMB4XDTE3MDMyNTIyMTc1MFoXDTE4MDMyNTIyMTc1MFowFzEV\nMBMGA1UEAwwMZXN0RXhhbXBsZUNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nRVrNlEN2ocYscAILBU7NggABo0JgA1rEGdYdCQj1nHKL6xKONJIUfBibe6iMVYd3\nRUmPwaPiHNZJ98kRwHIwnKMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU+dVX\naXoucU1godNF0bycS1U5W54wCgYIKoZIzj0EAwIDRwAwRAIgNsCGjpEjuvz6OKJ/\n3rOvMc2ZfDhD02K+0PCVFJGCQGwCIAzf3BS6x9kKSROJJvxDSpg0QK9+b9LSFkbZ\nM1PW98AN\n-----END
CERTIFICATE-----\n",
       "nonce": "ea7102e8e88f119e",
       "serial-number": "PID:1 SN:widget1",
       "serial-number-issuer": "36097E3DEA39316EA4CE5C695BE905E78AF2FB5A",
       "version": "1"
   }
}
.
[signature goes here]

As per JWT RFC7519 this is what it looks like after URL-safe encoding.
You can see that now the signature is included  (look to the second to
last line to see the second “.” followed by a valid signature):


eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsICAgICJ4NWMiOlsiTUlJQmRqQ0NBUjJnQXdJQkFnSUJBVEFLQmdncWhrak9QUVFEQWpBck1SWXdGQVlEVlFRS0RBMURhWE5qYnlCVGVYTjBaVzF6TVJFd0R3WURWUVFEREFoV1pXNWtiM0pEUVRBZUZ3MHhOekEwTURNeE5URTFORFZhRncweE9EQTBNRE14TlRFMU5EVmFNQzB4RmpBVUJnTlZCQW9NRFVOcGMyTnZJRk41YzNSbGJYTXhFekFSQmdOVkJBTU1DbFpsYm1SdmNrMUJVMEV3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVQ5R1RyRGQwR1dnd2N1U3k4TENuMHdhTWVrbnBMem5halp6cVdsTGhyUHdzaGdJUElQdmJ5WTZJeUNvNHVCWVUvZTRPTzZUUUQ5VVZMbHlVNVI2Y0E2b3pBd0xqQUxCZ05WSFE4RUJBTUNCYUF3SHdZRFZSMGpCQmd3Rm9BVVI0b0VwYjRZRnVlbGtNclFqbG5LdE0wMW92RXdDZ1lJS29aSXpqMEVBd0lEUndBd1JBSWdBUThZUjJJZExvZEVFOGsrSnhwQk9JQUd1ekNlVDlCbUZPVmhGVWI4ZUpNQ0lDMjNHb3NzNm1hblJqTlNtaDYrMm9COXRzUmJqbW5ud3VNbERYUjhmenVnIiwiTUlJQm5UQ0NBVU9nQXdJQkFnSUpBSzlQZDVHKy9yMFVNQW9HQ0NxR1NNNDlCQU1DTUNzeEZqQVVCZ05WQkFvTURVTnBjMk52SUZONWMzUmxiWE14RVRBUEJnTlZCQU1NQ0ZabGJtUnZja05CTUI0WERURTNNRFF3TXpFME1UQXdOVm9YRFRFNE1EUXdNekUwTVRBd05Wb3dLekVXTUJRR0ExVUVDZ3dOUTJselkyOGdVM2x6ZEdWdGN6RVJNQThHQTFVRUF3d0lWbV
Z1Wkc5eVEwRXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CQndOQ0FBU3Vuc1FMMlBWT1NGV1dwMG9DamxxRjhpVlBQcEVnSmN0OTMxQ1pRNmFzc3AwN290bWZnWnFYc2sxSllSVGxLQ0dqUk94ckFpVlJRc0I1NGlvQTB5dTBvMUF3VGpBZEJnTlZIUTRFRmdRVVI0b0VwYjRZRnVlbGtNclFqbG5LdE0wMW92RXdId1lEVlIwakJCZ3dGb0FVUjRvRXBiNFlGdWVsa01yUWpsbkt0TTAxb3ZFd0RBWURWUjBUQkFVd0F3RUIvekFLQmdncWhrak9QUVFEQWdOSUFEQkZBaUVBK1NTT2hpTlEyM1JXQTc2a1ovMnU3MEZDcFU4T3NVN1g5SVJpV0dEZ0lBZ0NJRkx1OEZuSnVxUHgxMHNnSHZJenFJNUJnT2N3Q2E1dkZRWmRDREJISXgxOCJdfQ.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
UMwd0RBWURWUjBUQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVK2RWWFxuYVhvdWNVMWdvZE5GMGJ5Y1MxVTVXNTR3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnTnNDR2pwRWp1dno2T0tKL1xuM3JPdk1jMlpmRGhEMDJLKzBQQ1ZGSkdDUUd3Q0lBemYzQlM2eDlrS1NST0pKdnhEU3BnMFFLOStiOUxTRmtiWlxuTTFQVzk4QU5cbi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS1cbiIsIm5vbmNlIjoiZWE3MTAyZThlODhmMTE5ZSIsInNlcmlhbC1udW1iZXIiOiJQSUQ6MSBTTjp3aWRnZXQxIiwic2VyaWFsLW51bWJlci1pc3N1ZXIiOiIzNjA5N0UzREVBMzkzMTZFQTRDRTVDNjk1QkU5MDVFNzhBRjJGQjVBIiwidmVyc2lvbiI6IjEifX0.QkTUpcxv6Ng6ylyWYnlqun-5SFhD1XwLIW1kD7Y9dNwioheNMcVnowkELl_EMClyOWuLvvWuoCHAcWz_UA0IGw


Here is an equivalent PKCS7 voucher via asn1 dump. You’d have to look
at the binary if you really want to decode it. This voucher was
generated by MCR during the hackathon:

pritikin@ubuntu:~/src/brski-project/brski_msgs$ openssl asn1parse -in mcr.voucher.txt.pkcs7
    0:d=0  hl=4 l=2706 cons: SEQUENCE
    4:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=2691 cons: cont [ 0 ]
   19:d=2  hl=4 l=2687 cons: SEQUENCE
   23:d=3  hl=2 l=   1 prim: INTEGER           :01
   26:d=3  hl=2 l=  15 cons: SET
   28:d=4  hl=2 l=  13 cons: SEQUENCE
   30:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   41:d=5  hl=2 l=   0 prim: NULL
   43:d=3  hl=4 l=1644 cons: SEQUENCE
   47:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   58:d=4  hl=4 l=1629 cons: cont [ 0 ]
   62:d=5  hl=4 l=1625 prim: OCTET STRING

:{"ietf-voucher:voucher":{"nonce":"62a2e7693d82fcda2624de58fb6722e5","created-on":"2017-01-01T00:00:00.000Z","device-identifier":"00-d0-e5-f2-00-01","assertion":"logged","owner":"MIIEEzCCAvugAwIBAgIJAK6rFouvk+7YMA0GCSqGSIb3DQEBCwUAMIGfMQsw\nCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdh\nMRowGAYDVQQKDBFPd25lciBFeGFtcGxlIE9uZTERMA8GA1UECwwITm90IFZl\ncnkxGzAZBgNVBAMMEm93bmVyMS5leGFtcGxlLmNvbTEhMB8GCSqGSIb3DQEJ\nARYSb3duZXIxQGV4YW1wbGUuY29tMB4XDTE3MDMyNTE2MjkzNFoXDTE3MDQy\nNDE2MjkzNFowgZ8xCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8w\nDQYDVQQHDAZPdHRhd2ExGjAYBgNVBAoMEU93bmVyIEV4YW1wbGUgT25lMREw\nDwYDVQQLDAhOb3QgVmVyeTEbMBkGA1UEAwwSb3duZXIxLmV4YW1wbGUuY29t\nMSEwHwYJKoZIhvcNAQkBFhJvd25lcjFAZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4QYAEnTtXgiKqsfSVYkgkHddFcP34\nOU3YP7ibrsgx0i9cyj7xOzWHOF2PsoKBgTRH75MSMhTl5UidrCszlluK+qp4\nd3Zg31oQM/HDmyRJyRpY+PC1n5Vx/Mj5VagRQbqG7XTDQCfCrhqIKrKBTuPQ\n4vYKeL0tQk4UJlPIoZXEmBk5dkn/Fzl9AfIZSvUzQ1QAhQ9oaLz5Nf5MWHPK\nUY+6b2zA/yQaX
duPrVuxp7xCj11C/Ljlhl1/Hx16MJrV33MCbd+RKW711D/3\n0XlWSqEprdbKbqw8WMPjuJ1aoX8aQEWoL+xbomRQQJJoFaMPlzgdDcfoAHDU\nTsxd0+FN8pFHAgMBAAGjUDBOMB0GA1UdDgQWBBSqp5TwQtHsQy9oYLZb0D5W\n+licHDAfBgNVHSMEGDAWgBSqp5TwQtHsQy9oYLZb0D5W+licHDAMBgNVHRME\nBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBgSQGacjwxmbRrrBhW63gY5KaW\nim76rG45p3uh9A8WUfMWryCUufrFOm/QEJnlUUK3QX4KEVj2eywb9gsfkiCE\nyaJzxe665Q2BrWwe3rGVkAhO/fn8upec4E1ASc31ASaF8m+pYqCCPSflL5kV\nMefHG4lEs3XJkHceClRzyXvjb5Kj/u02C5YCjcALYd8/kcSbf4joe1GufvKF\n5wvPBPkRVfbW2KagL+jw62j+8U6oB7FbxtFyqQP1YoZGia9MkPKnK+yg5o/0\ncZ57hgk4mQmM1i82RrUZQVoBP3CD5LdBJZfJoXstRlXe6dX7+TisdSAspp5e\nhNm0BcqdLK+z8ntt\n"}}
 1691:d=3  hl=4 l= 557 cons: cont [ 0 ]
 1695:d=4  hl=4 l= 553 cons: SEQUENCE
 1699:d=5  hl=4 l= 431 cons: SEQUENCE
 1703:d=6  hl=2 l=   3 cons: cont [ 0 ]
 1705:d=7  hl=2 l=   1 prim: INTEGER           :02
 1708:d=6  hl=2 l=   1 prim: INTEGER           :01
 1711:d=6  hl=2 l=  10 cons: SEQUENCE
 1713:d=7  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 1723:d=6  hl=2 l=  77 cons: SEQUENCE
 1725:d=7  hl=2 l=  18 cons: SET
 1727:d=8  hl=2 l=  16 cons: SEQUENCE
 1729:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1741:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 1745:d=7  hl=2 l=  25 cons: SET
 1747:d=8  hl=2 l=  23 cons: SEQUENCE
 1749:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1761:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 1772:d=7  hl=2 l=  28 cons: SET
 1774:d=8  hl=2 l=  26 cons: SEQUENCE
 1776:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1781:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 1802:d=6  hl=2 l=  30 cons: SEQUENCE
 1804:d=7  hl=2 l=  13 prim: UTCTIME           :160507023655Z
 1819:d=7  hl=2 l=  13 prim: UTCTIME           :180507023655Z
 1834:d=6  hl=2 l=  77 cons: SEQUENCE
 1836:d=7  hl=2 l=  18 cons: SET
 1838:d=8  hl=2 l=  16 cons: SEQUENCE
 1840:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1852:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 1856:d=7  hl=2 l=  25 cons: SET
 1858:d=8  hl=2 l=  23 cons: SEQUENCE
 1860:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 1872:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 1883:d=7  hl=2 l=  28 cons: SET
 1885:d=8  hl=2 l=  26 cons: SEQUENCE
 1887:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 1892:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 1913:d=6  hl=2 l= 118 cons: SEQUENCE
 1915:d=7  hl=2 l=  16 cons: SEQUENCE
 1917:d=8  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
 1926:d=8  hl=2 l=   5 prim: OBJECT            :secp384r1
 1933:d=7  hl=2 l=  98 prim: BIT STRING
 2033:d=6  hl=2 l=  99 cons: cont [ 3 ]
 2035:d=7  hl=2 l=  97 cons: SEQUENCE
 2037:d=8  hl=2 l=  15 cons: SEQUENCE
 2039:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 2044:d=9  hl=2 l=   1 prim: BOOLEAN           :255
 2047:d=9  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
 2054:d=8  hl=2 l=  14 cons: SEQUENCE
 2056:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
 2061:d=9  hl=2 l=   1 prim: BOOLEAN           :255
 2064:d=9  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
 2070:d=8  hl=2 l=  29 cons: SEQUENCE
 2072:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 2077:d=9  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414258EDF2D51788F0CEC872A22FBD4FEBE0676EB07
 2101:d=8  hl=2 l=  31 cons: SEQUENCE
 2103:d=9  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 2108:d=9  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014258EDF2D51788F0CEC872A22FBD4FEBE0676EB07
 2134:d=5  hl=2 l=  10 cons: SEQUENCE
 2136:d=6  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 2146:d=5  hl=2 l= 104 prim: BIT STRING
 2252:d=3  hl=4 l= 454 cons: SET
 2256:d=4  hl=4 l= 450 cons: SEQUENCE
 2260:d=5  hl=2 l=   1 prim: INTEGER           :01
 2263:d=5  hl=2 l=  82 cons: SEQUENCE
 2265:d=6  hl=2 l=  77 cons: SEQUENCE
 2267:d=7  hl=2 l=  18 cons: SET
 2269:d=8  hl=2 l=  16 cons: SEQUENCE
 2271:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 2283:d=9  hl=2 l=   2 prim: IA5STRING         :ca
 2287:d=7  hl=2 l=  25 cons: SET
 2289:d=8  hl=2 l=  23 cons: SEQUENCE
 2291:d=9  hl=2 l=  10 prim: OBJECT            :domainComponent
 2303:d=9  hl=2 l=   9 prim: IA5STRING         :sandelman
 2314:d=7  hl=2 l=  28 cons: SET
 2316:d=8  hl=2 l=  26 cons: SEQUENCE
 2318:d=9  hl=2 l=   3 prim: OBJECT            :commonName
 2323:d=9  hl=2 l=  19 prim: UTF8STRING        :Unstrung Highway CA
 2344:d=6  hl=2 l=   1 prim: INTEGER           :01
 2347:d=5  hl=2 l=  13 cons: SEQUENCE
 2349:d=6  hl=2 l=   9 prim: OBJECT            :sha256
 2360:d=6  hl=2 l=   0 prim: NULL
 2362:d=5  hl=3 l= 228 cons: cont [ 0 ]
 2365:d=6  hl=2 l=  24 cons: SEQUENCE
 2367:d=7  hl=2 l=   9 prim: OBJECT            :contentType
 2378:d=7  hl=2 l=  11 cons: SET
 2380:d=8  hl=2 l=   9 prim: OBJECT            :pkcs7-data
 2391:d=6  hl=2 l=  28 cons: SEQUENCE
 2393:d=7  hl=2 l=   9 prim: OBJECT            :signingTime
 2404:d=7  hl=2 l=  15 cons: SET
 2406:d=8  hl=2 l=  13 prim: UTCTIME           :170325220308Z
 2421:d=6  hl=2 l=  47 cons: SEQUENCE
 2423:d=7  hl=2 l=   9 prim: OBJECT            :messageDigest
 2434:d=7  hl=2 l=  34 cons: SET
 2436:d=8  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:552DD2EE5CBC4C7C4D207F98A2519F031EE10074D674265A7DD0CA73E68BE57D
 2470:d=6  hl=2 l= 121 cons: SEQUENCE
 2472:d=7  hl=2 l=   9 prim: OBJECT            :S/MIME Capabilities
 2483:d=7  hl=2 l= 108 cons: SET
 2485:d=8  hl=2 l= 106 cons: SEQUENCE
 2487:d=9  hl=2 l=  11 cons: SEQUENCE
 2489:d=10 hl=2 l=   9 prim: OBJECT            :aes-256-cbc
 2500:d=9  hl=2 l=  11 cons: SEQUENCE
 2502:d=10 hl=2 l=   9 prim: OBJECT            :aes-192-cbc
 2513:d=9  hl=2 l=  11 cons: SEQUENCE
 2515:d=10 hl=2 l=   9 prim: OBJECT            :aes-128-cbc
 2526:d=9  hl=2 l=  10 cons: SEQUENCE
 2528:d=10 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
 2538:d=9  hl=2 l=  14 cons: SEQUENCE
 2540:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2550:d=10 hl=2 l=   2 prim: INTEGER           :80
 2554:d=9  hl=2 l=  13 cons: SEQUENCE
 2556:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2566:d=10 hl=2 l=   1 prim: INTEGER           :40
 2569:d=9  hl=2 l=   7 cons: SEQUENCE
 2571:d=10 hl=2 l=   5 prim: OBJECT            :des-cbc
 2578:d=9  hl=2 l=  13 cons: SEQUENCE
 2580:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
 2590:d=10 hl=2 l=   1 prim: INTEGER           :28
 2593:d=5  hl=2 l=  10 cons: SEQUENCE
 2595:d=6  hl=2 l=   8 prim: OBJECT            :ecdsa-with-SHA256
 2605:d=5  hl=2 l= 103 prim: OCTET STRING      [HEX DUMP]:3065023100E60EAF73A69826077CF6B760AF9BD1C9BF723D0E84812B06B5A8B7C252362394D98E1B5B4C02D8ACD8DA5BD2248D51EA02306B5BDBDFFBB022A1E039A1847259D2E0AA332E12D24053B3E7ECA6D18EA821E29A53D93EE3BA4DE7D8C594C51736511C

And this is the “encoded” form:
-----BEGIN PKCS7-----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-----END PKCS7-----


_______________________________________________
Anima-bootstrap mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima-bootstrap

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
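
Added example, not part of the thread and not Max's hackathon tooling: a sketch of the structural checks a receiver could run on a JWS-compact voucher like the one quoted above before handing it to an ECDSA verifier. The names parse_voucher_jws and make_sample are hypothetical, the sample token is constructed (placeholder certificate bytes, all-zero signature), and the signature itself is not verified here.

```python
import base64
import json

# alg allowlist -> raw signature length; ES256 is the 64-byte R||S form (RFC 7518)
ALLOWED_ALGS = {"ES256": 64}

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWS segment (RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_voucher_jws(token: str) -> dict:
    """Structural checks only; the ECDSA signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact serialization needs header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # also rejects "none" and a missing alg
        raise ValueError(f"alg {alg!r} is not allowed")
    x5c = header.get("x5c")
    if not isinstance(x5c, list) or not x5c:
        raise ValueError("x5c certificate chain is missing")
    # x5c entries are standard base64 DER, not base64url
    chain = [base64.b64decode(cert, validate=True) for cert in x5c]
    if len(b64url_decode(parts[2])) != ALLOWED_ALGS[alg]:
        raise ValueError("signature length does not match alg")
    voucher = json.loads(b64url_decode(parts[1])).get("ietf-voucher:voucher")
    if not isinstance(voucher, dict):
        raise ValueError("payload has no ietf-voucher:voucher object")
    # The bytes the signature covers: the first two encoded segments, as sent
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    return {"alg": alg, "chain": chain, "voucher": voucher,
            "signing_input": signing_input}

def make_sample(alg: str = "ES256") -> str:
    """Constructed token: placeholder cert bytes and an all-zero signature."""
    header = {"typ": "JWT", "alg": alg,
              "x5c": [base64.b64encode(b"constructed-der-placeholder").decode()]}
    payload = {"ietf-voucher:voucher": {"assertion": "logging",
                                        "nonce": "ea7102e8e88f119e",
                                        "serial-number": "PID:1 SN:widget1"}}
    segs = [json.dumps(header).encode(), json.dumps(payload).encode(), bytes(64)]
    return ".".join(b64url_encode(s) for s in segs)

if __name__ == "__main__":
    print(parse_voucher_jws(make_sample())["voucher"])
```

The returned signing_input is what an ES256 verifier would check against the public key of the first x5c certificate, after that chain has been validated up to a trusted anchor.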
